[aur-general] checksums

Johannes Löthberg johannes at kyriasis.com
Sat Oct 4 14:00:09 UTC 2014


>> Use GPG to verify the integrity of the download and calculate the
>> checksum locally for yourself. Users of your package have to trust you
>> anyway, as you can basically do anything to your package, anyway.
>>
>> Best regards,
>> Karol Babioch
>
>OK, you have a point, understood.

For reference, a PGP signature is a hash of the file encrypted with the 
public key, so that people that have the public key can decrypt the hash 
and verify that the file they have is the one that upstream published.

-- 
Sincerely,
  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
  https://keybase.io/johannes
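
The workflow from the quoted advice above (verify the download with GPG, then calculate the checksum locally), as an added example that is not part of the original message. The function name `verified_sha256` is hypothetical, and upstream's public key is assumed to be already imported into the local GnuPG keyring.

```shell
#!/bin/bash
# Added example: print a checksum only for a file whose detached
# signature verifies. Assumes upstream's public key is already in the
# local GnuPG keyring; verified_sha256 is a hypothetical helper name.

verified_sha256() {
    local file="$1" sig="$2" status

    [ -r "$file" ] && [ -r "$sig" ] || {
        echo "usage: verified_sha256 FILE SIGNATURE" >&2
        return 2
    }

    # --status-fd 1 writes machine-readable status lines to stdout.
    # gpg exits non-zero on a bad or unverifiable signature (and the
    # call also fails if gpg is not installed), so stop here in that case.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || {
        echo "signature check failed for $file" >&2
        return 1
    }

    # VALIDSIG is emitted only when the signature is cryptographically
    # valid for exactly this file content.
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG ' || {
        echo "no VALIDSIG status for $file" >&2
        return 1
    }

    # Only now compute the checksum that would go into the PKGBUILD.
    sha256sum "$file" | cut -d' ' -f1
}
```

Called as `verified_sha256 foo.tar.gz foo.tar.gz.sig`, it prints the SHA-256 on success and nothing on failure, so a checksum is never recorded for a download that did not verify.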